From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
To: Girish Moodalbail <girish.moodalbail@oracle.com>
Cc: syzbot
<bot+643ecad3f5bb49700e839363b608c4928f6db8f0@syzkaller.appspotmail.com>,
davem@davemloft.net, netdev@vger.kernel.org,
rds-devel@oss.oracle.com, santosh.shilimkar@oracle.com,
syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in rds_tcp_dev_event
Date: Tue, 14 Nov 2017 08:22:21 -0500
Message-ID: <20171114132221.GB1980@oracle.com>
In-Reply-To: <9e71dff9-7ba8-a3c2-6862-fb8557546a54@oracle.com>

A few questions.

- First off, why am I not seeing the original mail in this thread
even when I search the mail archives, e.g.,
https://lkml.org/lkml/2017/11/13/954

- Girish Moodalbail writes:

> The issue here is that we are trying to reference a network namespace
> (struct net *) that is long gone (i.e., L532 below -- c_net is the culprit).

The netns is not "long gone", we are still processing
the NETDEV_UNREGISTER_FINAL for loopback. As I said in my
earlier mail, the idea is to extract the list of unique conns
that belong to the netns and then destroy both the conn, and
all associated paths. Thus there can only be a single thread
going through rds_tcp_kill_sock at any time (since we should
only get the unregister_final/loopback one time for the netns).
(See also comment block in rds_tcp_dev_event about network activity
quiescing). Thus there should be no concurrency issue.

However when I just checked this, there may be some rds connection
refcounting bug. When I quickly tested this, I'm not seeing the
expected calls to conn_path_destroy. I'll need some time to take
a look, this has been known to work, so something got broken along
the way.

> I think we should move away from global list to a per-namespace list. The
> global list are used only in two places (both of which are per-namespace
> operations):

let's first understand the real root-cause before we start
redesigning data-structures.

--Sowmini

Thread overview: 8+ messages
2017-11-07 20:28 KASAN: use-after-free Read in rds_tcp_dev_event syzbot
2017-11-14 3:30 ` Girish Moodalbail
2017-11-14 6:57 ` Sowmini Varadhan
2017-11-14 13:22 ` Sowmini Varadhan [this message]
2017-11-14 14:04 ` Dmitry Vyukov
2017-11-14 14:26 ` Dmitry Vyukov
2017-11-14 18:02 ` Girish Moodalbail
2018-02-13 18:52 ` Dmitry Vyukov